About this Guide 


Thank you for your interest in Qualys Industrial Control System (ICS). Qualys Industrial 
Control System (ICS) provides comprehensive visibility and vulnerability management for 
critical infrastructure across all industrial network layers - Control, Supervisory, and Site 
Operations. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 
Industrial Control System (ICS) Overview 


Qualys Industrial Control System (ICS) provides a real-time asset inventory, network 
visibility, and vulnerability management for industrial control systems. Qualys ICS serves 
as a powerful tool to reduce the risk of costly and dangerous cyber security breaches with 
an intuitive interface and a fully automated risk assessment workflow. Qualys provides a 
single application and a single pane of glass for all IT & OT Asset Inventory, Vulnerability 
Management, Policy Compliance as well as OT Endpoint based Threat Detection and 
Response. 


Introduction 


Industrial IoT (IIoT) and smart manufacturing greatly enhance Overall Equipment 
Efficiency (OEE) and cost savings. However, they also increase enterprises' exposure to 
cyber-attacks due to rapid digitization and newly established interconnectivity between 
previously air-gapped industrial environments and the enterprise networks. Industrial 
assets have higher availability and reliability requirements. They run round the clock, 
and a malfunction can lead to significant physical safety incidents. Any downtime 
incurred by making changes or installing updates to these systems needs careful 
planning to ensure the minimum level of service disruption. 


Typically, industrial processes are supported by multiple equipment manufactured by 
different industrial vendors and powered by varied industrial protocols such as 
Ethernet/IP, Modbus TCP, Siemens S7 Comm, S7Comm Plus, Profinet, BACnet, and DNP3, 
among others. Many of these protocols are insecure by design, lacking basic 
authentication and encryption, so it is even more critical to have visibility and regular risk 
assessments conducted in these environments. 


ICS security is defined as protecting industrial control systems from threats posed by cyber 
attackers. It is often referred to as OT security. It includes a wide range of practices, 
including asset inventory and discovery, and vulnerability management. 


Identifying network vulnerabilities is the most crucial step. Qualys ICS identifies the 
existing vulnerabilities and recommends a cyber risk mitigation solution. 


The Purdue model is a reference architecture model for ICS. It divides the system into 
multiple levels: Purdue level 0 to Purdue level 5. 


As shown in the following Purdue level reference model, the ICS provides asset inventory, 
network visibility, and vulnerability postures at all Purdue levels. 


Qualys Network Passive Sensor can be attached to the mirrored port of a network switch 
that sees traffic from assets present in Purdue levels 0, 1 and 2. It passively listens to the 
traffic, dissects the protocol, and builds the asset inventory. 


Qualys Active Scanner can be used in safe scanning mode to support the industrial scan. 
It can safely discover PLCs, RTUs, and equipment running at the controller layer without 
disrupting the environment. Qualys Active Scanner can also scan the endpoints present 
in levels 2, 3, and 3.5 to cover all engineering workstations and SCADA servers, 
operating stations, site operation equipment like manufacturing execution systems, ERP, 
and jump-boxes in RTU. 


Qualys Cloud Agents deployed in these environments can provide continuous visibility 
and a continuously updated vulnerability posture. 


ICS Out of band Configuration Assessment can also be used for building the asset inventory. 
This is useful when the other methods of creating the asset inventory (Qualys Network 
Passive Sensor or Qualys Cloud Agent) are not available. 


[Figure: Purdue level reference model. Levels shown: Purdue Level 4/5 Enterprise, Purdue 
Level 3.5 DMZ, Purdue Level 3 Site Operations, Purdue Level 2 Supervisory, Purdue Level 1 
Control Devices. Coverage brackets: Qualys Cloud Agent, Qualys Active Scanner, Qualys 
Network Passive Sensor. Legend: Network Passive Sensor, Network Switch, Firewall.] 


Refer to the following table to view the availability of ICS features on Qualys applications. 


Purdue Level | Assets | Feature | Supported by | Available on Qualys Applications 
Purdue Levels 0/1/2 | Hardware like PLC, RTU, IO, Robots, VFDs etc. | Asset Inventory; Vulnerability Management | Qualys Network Passive Sensor; ICS Out of band configuration assessment | ICS 
Purdue Levels 2 and above | OT/ICS OS-based endpoints hosting ICS Vendor software (Engineering Workstations, SCADA Servers, etc.) | Asset Inventory | VMDR application (ICS safe active scan support in Qualys Scanner and Cloud Agent) | VMDR, CSAM 
Purdue Levels 2 and above | OT/ICS OS-based endpoints hosting ICS Vendor software | Vulnerability Management | VMDR (OT/ICS OS-based endpoints hosting ICS Vendor software) | VMDR 
Purdue Levels 2 and above | OT/ICS OS-based endpoints hosting ICS Vendor software | Policy Compliance | Policy Compliance application; IEC 62443; NERC CIP Policy | Policy Compliance 


Why Qualys ICS? 


Real-time ICS Asset Inventory 
Qualys ICS builds a comprehensive real-time asset inventory via multiple engines: 


- Qualys Network Passive Sensor dissects industrial protocols and gives visibility into 
various Purdue Levels, especially at the Field and Control network layers. 


- Qualys extends the scanner capabilities to perform safe ICS discovery for industrial 
protocols. This new scan is designed to be safe and talks the same language as the 
industrial protocols, querying the devices in the protocol language they understand. 


- ICS Out of band Configuration Assessment imports assets from project files 
collected from programming and maintenance software. 


Extensive ICS Protocol Support 


Qualys ICS supports a wide range of IT and ICS protocols such as S7Comm, S7comm Plus, 
Profinet, Ethernet IP, BACnet, Modbus TCP, DNP3, MQTT, IEC 104, CIP, IEC 61850- MMS, 
Beckhoff ADS, Omron, PCCC, Niagara Fox, and many more. 


Out of band Configuration Assessment 


Qualys supports Out of band Configuration Assessment. You can import the asset 
information using a project file collected from programming and maintenance software. 
The ICS application parses the uploaded file for valuable data and creates assets from 
the data gathered. Qualys supports engineering tools from different vendors, such as Omron CX 
Programmer (.cxp), Rockwell RSLogix 500 (.RSS), Rockwell Studio 5000 (.L5X), Rockwell 
System Ferret (.Xml), Siemens DIGSI 4 (.zip), Siemens DIGSI 5 (.zip), Siemens DIGSI 5 (.dz5), 
and many more. 
Robust Vulnerability Management 


Qualys ICS provides continuous vulnerability assessment on all discovered industrial 
assets. Hardware and firmware-based vulnerabilities impacting PLCs, IOs, HMIs, Drives, etc., 
and software vulnerabilities affecting SCADA servers, Engineering software, HMI Software, 
etc., are covered by the Passive Sensor and the Qualys scanner or a Cloud Agent combined. 


Risk scores are based on asset criticality, severity of vulnerability, and availability of 
redundancy for the asset to assist with better prioritization and remediation actions. 


Broad Industrial Vendor Support 


Qualys ICS supports the major industry vendors like Siemens, Rockwell Automation, 
Schneider Electric, Wago, Johnson Controls, Niagara Fox, Beckhoff, Omron, ABB, and many 
more. 


Concepts and Terminologies 


Get familiar with common terms used in the ICS application. 


Terms | Description 
QID | A unique Qualys ID number assigned to the vulnerability. 
QQL | Qualys Query Language (QQL) is used to build search queries that fetch information from Qualys databases. 
Severity Score | Qualys assigns every vulnerability in the KnowledgeBase a severity score that is determined by the security risk associated with its exploitation. 
CVE ID | CVE (Common Vulnerabilities and Exposures) lists common names for publicly known vulnerabilities and exposures. These are the CVE name(s) associated with this vulnerability check. 
Confirmed vulnerabilities | Vulnerabilities that are positively identified by QualysGuard. 
Potential vulnerabilities | Vulnerabilities that cannot be fully verified. In these cases, at least one necessary condition for the vulnerability is detected. 
CVSS | Common Vulnerability Scoring System is an industry open standard designed to convey vulnerability severity and risk. 


Know the Requirements 


Industrial Control System application can be accessed with a subscription to VMDR, Cyber 
Security Asset Management (CSAM) and Qualys Network Passive Sensor (NPS) 
applications. 
How does Qualys ICS work? 


ICS is powered by Qualys Network Passive Sensor. It continuously monitors all network 
traffic and flags any asset activity. It identifies and profiles devices the moment they are 
connected to the network. 


Qualys Network Passive Sensor (NPS) identifies assets in industrial environments that can't 
be actively scanned. Qualys Network Passive Sensor (NPS) enriches the existing asset 
inventory with additional details, such as recent open ports, traffic summary, network 
services and applications in use. This helps to gain a deeper understanding of an asset and 
its activity on the network in real time. 


Asset discovery and inventory collection - Once Qualys Network Passive Sensor is deployed 
and configured in the network, it starts passively listening to the network traffic and 
creating assets based on the information dissected from the traffic. For more details on 
deployment, refer to Deploying Qualys Network Passive Sensors. 


Over time, as various asset activities are seen on the wire, the passive sensor 
continues to enrich the asset inventory attributes with additional contextual 
information. The time taken for a complete asset context to be built depends on the type 
of industrial protocol and the type of activities performed in the environment. 
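The passive dissection described in the Introduction (a sensor on a mirrored port listening to traffic, dissecting the protocol and building the inventory) and the incremental enrichment described above can be illustrated with a small Modbus/TCP dissector. The following Python is an added example, not Qualys code: it parses Read Device Identification responses (function 0x2B, MEI type 0x0E) out of captured frames, ignores requests and exception responses, and merges whatever objects each response carries into an inventory keyed by the device's IP address, so later captures add fields to an asset record rather than replacing it. The frames, addresses and vendor strings are constructed test data.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Object ids returned by Modbus "Read Device Identification" (function 0x2B, MEI type 0x0E).
DEVICE_ID_OBJECTS = {
    0x00: "vendor_name",
    0x01: "product_code",
    0x02: "revision",
    0x03: "vendor_url",
    0x04: "product_name",
    0x05: "model_name",
    0x06: "user_application_name",
}


def build_device_id_response(unit_id: int, read_code: int,
                             objects: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a Modbus/TCP Read Device Identification response (used only to
    construct test frames; a real sensor would take these off the wire)."""
    # PDU: function, MEI type, read code, conformity level, more-follows, next object id, count
    pdu = bytearray([0x2B, 0x0E, read_code, 0x01, 0x00, 0x00, len(objects)])
    for obj_id, value in objects:
        pdu += bytes([obj_id, len(value)]) + value
    # MBAP header: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", 1, 0, 1 + len(pdu), unit_id) + bytes(pdu)


def parse_device_id_response(frame: bytes) -> Optional[Dict[str, str]]:
    """Return the identification objects carried by a Modbus/TCP frame, or None
    when the frame is not a well-formed Read Device Identification response."""
    if len(frame) < 9:                      # MBAP (7) + function + MEI type
        return None
    _, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        return None                         # not Modbus, or length field disagrees with the capture
    pdu = frame[7:]
    if pdu[0] & 0x80:
        return None                         # exception response: carries no identity data
    if pdu[0] != 0x2B or pdu[1] != 0x0E or len(pdu) < 7:
        return None                         # other function, or a 4-byte request rather than a response
    objects: Dict[str, str] = {"unit_id": str(unit_id)}
    offset, count = 7, pdu[6]
    for _ in range(count):
        if offset + 2 > len(pdu):
            break                           # truncated object list: keep what was parsed so far
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2: offset + 2 + obj_len]
        if len(value) < obj_len:
            break
        name = DEVICE_ID_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        offset += 2 + obj_len
    return objects


def update_inventory(inventory: Dict[str, dict], src_ip: str, frame: bytes) -> bool:
    """Merge the identity objects from one captured frame into the inventory.
    Fields seen in later frames are added to the existing asset record."""
    parsed = parse_device_id_response(frame)
    if parsed is None:
        return False
    asset = inventory.setdefault(src_ip, {"protocols": set()})
    asset["protocols"].add("modbus_tcp")
    asset.update(parsed)
    return True


# Constructed captures: a workstation's request, then the PLC's basic and regular
# identification responses, with an exception response in between.
PLC_IP, WORKSTATION_IP = "192.0.2.10", "192.0.2.50"
FRAME_REQUEST = struct.pack(">HHHB", 2, 0, 5, 1) + bytes([0x2B, 0x0E, 0x01, 0x00])
FRAME_BASIC = build_device_id_response(1, 0x01, [
    (0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"v2.1")])
FRAME_EXCEPTION = struct.pack(">HHHB", 3, 0, 3, 1) + bytes([0xAB, 0x01])
FRAME_REGULAR = build_device_id_response(1, 0x02, [
    (0x04, b"Example Compact PLC"), (0x05, b"EX-1000-C")])


def demo_inventory() -> Dict[str, dict]:
    inventory: Dict[str, dict] = {}
    for src, frame in [(WORKSTATION_IP, FRAME_REQUEST), (PLC_IP, FRAME_BASIC),
                       (PLC_IP, FRAME_EXCEPTION), (PLC_IP, FRAME_REGULAR)]:
        update_inventory(inventory, src, frame)
    return inventory


if __name__ == "__main__":
    for ip, asset in demo_inventory().items():
        print(ip, asset)
```

The length check against the MBAP header is what keeps a truncated or mis-reassembled capture from being turned into a bogus asset attribute; the workstation that sent the request never becomes an asset because requests carry no identity data.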


To expedite the asset discovery, refer to section Generating Traffic Using Device Discovery 
Method. 


Asset inventory can also be created with ICS Out of band configuration assessment, from 
project files collected from programming and maintenance software. For more 
information, refer to section Importing Assets. 


Detect and Monitor - Qualys Network Passive Sensor monitors network activity without 
any active probing of devices to detect active assets in the network. The ICS asset 
inventory is continuously updated depending on the asset activities flagged by the Qualys 
Network Passive Sensor. For information about the ICS asset inventory, see Assets tab. 


To view network traffic which displays the communication between server and client refer 
to section Viewing Network Traffic. 


Vulnerabilities on ICS assets are detected and listed on the Vulnerabilities tab. For more 
information, refer to section Viewing Vulnerabilities. 
Get Started with ICS 


Start building the ICS inventory by: 
- Deploying Qualys Network Passive Sensors 
- Importing Assets using ICS Out of band configuration assessment 
- Generating Traffic Using Device Discovery Method from the programming software used 
for configuring and managing the network devices 


User Roles and Permissions 


Users can be created and assigned a role to grant access as per the role defined. 


Manager Users | The most privileged users are Managers, as they have full privileges and access to all resources in the subscription. Only Manager users can create users and assign roles. Manager users can choose how the user can access the application. 
Users | Depending on the permissions assigned to the role, users can be categorized with all privileges or read-only privileges. 


Following are the permissions that can be granted to the user: 
- ICS UI Access 
- ICS View Asset Inventory Access 
- ICS Vulnerabilities Access 
- API Access 


Deploying Qualys Network Passive Sensors 


Upon deploying the Qualys Network Passive Sensor in the network, it starts sniffing the 
metadata of the network devices after the flow of traffic related to the device identity is 
generated on the network. Based on the collected device properties, the devices are added 
as assets to the Qualys ICS inventory. 


Deploy Qualys Network Passive Sensor in the network and enable it to listen to the 
mirrored port. For more details, refer to the Qualys Network Passive Sensor Getting Started 
Guide. 
Viewing Assets Details 


The Assets tab displays a detailed consolidated view of the ICS assets. These are the devices in 
the industrial network that are discovered and profiled by the Qualys Network Passive 
Sensor. 


This real-time asset inventory provides the details related to asset metadata. It also helps 
to gauge the security posture of the industrial OT environment and mitigate the risk of 
potential cyber security threats by managing vulnerabilities well in advance. 


In the upper left corner, there is a total count of the industrial assets in the network. 
[Screenshot: Assets tab showing Total Assets 2.37K and the cards High Risk Devices 83, 
Devices With Vulnerabilities 92, Newly Discovered, Inactive Devices. Left pane filters: 
Equipment Category (Industrial Control), Equipment Type, Vendor (Unidentified). Table 
(1-50 of 2371) with columns Asset Name, Type/Importance, Vendor/Model, Last Seen, Risk 
Score, Vulnerabilities, Tags; example rows: an I/O Module from Rockwell Automation last 
seen December 10, 2021 with risk score 75 and 3 vulnerabilities, and an Industrial Ethernet 
Switch from Siemens last seen December 10, 2021.] 

The assets table contains the list of discovered assets with the following details: 


- Asset name 
- Hardware type of the asset 
- Vendor/Model number 
- When the asset activity was last detected on the network 
- Risk score of the asset 
- Vulnerabilities detected on the asset 
- Asset tags 


In the search bar, QQL queries can be built to narrow down the scope of the asset search 
by using the supported search tokens. For more information, see Search Tokens for 
Industrial Control System in ICS Online help. 


Use the left pane filters to search for assets grouped into categories like equipment 
category, equipment type, vendor and so on. The assets that belong to the selected 
category are displayed in the assets table. 
Below the search bar, assets are grouped under four categories: devices with a high risk 
score, devices on which vulnerabilities are detected, devices discovered by Qualys 
Network Passive Sensor within the past 24 hours, and devices on which no activity has 
been detected for the past seven days. Click each of these cards to get the assets listed 
by the selected category. 
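As an added illustration (not Qualys code) of how the four cards above can be derived from inventory records: the Python below applies the windows stated in the text (discovered within the past 24 hours; no activity for the past seven days) to constructed asset records, counts assets with at least one vulnerability, and uses a high-risk cut-off of 70, which is an assumption because the guide does not publish the threshold. Assets whose first-seen or last-seen timestamps cannot be parsed (the Asset Summary screenshot later in this guide shows "Invalid date" for such fields) are reported in a separate bucket instead of being silently treated as active.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    vendor: str
    risk_score: int
    vulnerability_count: int
    first_seen: Optional[datetime]
    last_seen: Optional[datetime]


NEWLY_DISCOVERED_WINDOW = timedelta(hours=24)   # "discovered within the past 24 hours"
INACTIVE_AFTER = timedelta(days=7)              # "no activity for the past seven days"
HIGH_RISK_THRESHOLD = 70                        # assumption: the guide states no numeric cut-off


def parse_seen(text: str) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp; anything unparsable (e.g. 'Invalid date') becomes None."""
    try:
        ts = datetime.fromisoformat(text)
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify_assets(assets: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Bucket assets into the four Assets-tab cards, plus a bucket for assets
    whose activity timestamps are missing and therefore cannot be aged."""
    cards: Dict[str, List[str]] = {
        "high_risk": [], "with_vulnerabilities": [],
        "newly_discovered": [], "inactive": [], "unknown_activity": [],
    }
    for asset in assets:
        if asset.risk_score >= HIGH_RISK_THRESHOLD:
            cards["high_risk"].append(asset.name)
        if asset.vulnerability_count > 0:
            cards["with_vulnerabilities"].append(asset.name)
        if asset.first_seen is None or asset.last_seen is None:
            cards["unknown_activity"].append(asset.name)
            continue
        if now - asset.first_seen <= NEWLY_DISCOVERED_WINDOW:
            cards["newly_discovered"].append(asset.name)
        if now - asset.last_seen > INACTIVE_AFTER:
            cards["inactive"].append(asset.name)
    return cards


# Constructed inventory records; the evaluation time is fixed so results are reproducible.
NOW = datetime(2021, 12, 10, 13, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("BRTSW00386", "Rockwell Automation", 75, 3,
          parse_seen("2021-10-12T14:46:00+00:00"), parse_seen("2021-12-10T12:57:00+00:00")),
    Asset("SW-CORE-01", "Siemens", 30, 0,
          parse_seen("2021-11-01T08:00:00+00:00"), parse_seen("2021-11-30T17:15:00+00:00")),
    Asset("PLC-NEW-07", "Siemens", 50, 1,
          parse_seen("2021-12-10T02:00:00+00:00"), parse_seen("2021-12-10T12:30:00+00:00")),
    Asset("HMI-UNK", "Unidentified", 80, 0,
          parse_seen("Invalid date"), parse_seen("Invalid date")),
]


def demo_cards() -> Dict[str, List[str]]:
    return classify_assets(SAMPLE_ASSETS, NOW)


if __name__ == "__main__":
    for card, names in demo_cards().items():
        print(f"{card}: {len(names)} {names}")
```

Keeping the unknown-activity bucket separate matters in OT inventories: a device that never produced a parsable timestamp is neither provably active nor provably retired, and folding it into "inactive" would hide it from the people deciding what to decommission.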


[Screenshot: Assets tab. Navigation: DASHBOARD, ASSETS, NETWORK, VULNERABILITIES, 
IMPORT ASSETS. Search bar with the time range selector set to All Time. Cards: Total 
Assets 2.37K; High Risk Devices 83; Devices With Vulnerabilities 92; Newly Discovered 0; 
Inactive Devices 2.37K.] 


The date and time range selector next to the search bar can be used to view assets 
discovered within a specific time period. 


[Screenshot: Assets tab with the date and time range selector open (Today, Last 7 Days, 
Last 30 Days, This Month, or a calendar range). The search bar holds the QQL query 
hardware.type:'OT Device' and hardware.vendor:'Siemens', which returns 56 assets; the 
left pane filters show Equipment Type: OT Device 56, Vendor: Siemens 56, Operating 
System Family: Unidentified 55, Windows 1, and the table lists Siemens OT Devices by IP 
and MAC address with their last seen time.] 
To view more details of an asset, click the asset name. The Asset Details page contains 
asset information divided into various sections. 


[Screenshot: Asset Details page for BRTSW00386 (last seen on December 10, 2021). Left 
navigation: INVENTORY (Summary, System Information), NETWORK (Network Information, 
Network Map, Open Ports, Traffic Summary), SECURITY (Vulnerabilities), SOURCE (Passive 
Sensor, Industrial OCA). The Asset Summary panel shows Identification (asset ID 
e865aa02-addb-323f-8184-8f095818e4d1, MAC address 54:bf:64:6d:c9:ad, location India, 
model Dell Inc. Precision 5820 Tower, type HMI) and Activity (IP address 192.168.1.180, 
no I/O connections established, equipment type Industrial Control System (ICS) I/O Module, 
protocols dnp3 and enip, ID_CODE, last seen December 10, 2021 12:57 PM IST, first seen 
October 12, 2021 02:46 PM IST; two activity fields read "Invalid date").] 

The following table contains details as seen on each tab in each section: 


Section | Tab | Details 
INVENTORY | Summary | Asset metadata such as asset name, ID, IP address, MAC address, equipment type, the industrial protocol through which the Qualys Network Passive Sensor discovered the asset, description, assigned location of the asset, first passive scan details, last passive scan details, etc. 
INVENTORY | System Information | Manufacturer details, model number, serial number, firmware version, hardware version, product code, add-on details, protocol-specific information, etc. 
NETWORK | Network Information | Interface details such as IPv4 address, IPv6 address, domain details, DNS server details, and protocols talking to devices on each interface. 
NETWORK | Network Map | View the network map for the selected asset. 
NETWORK | Open Ports | List of open ports and services running on those ports. 
NETWORK | Traffic Summary | Traffic flow details for an asset. These may include a date-wise traffic volume summary for client to server (CTS) and server to client (STC), and traffic categorized by family and volume. 
SECURITY | Vulnerabilities | Summarized view of potential and confirmed vulnerabilities on the asset. 
SENSORS | Passive Sensor | Details of the Qualys Network Passive Sensor that discovered the asset. 
SENSORS | Industrial OCA | Details of the Industrial OCA information regarding the asset. 
Generating Traffic Using Device Discovery Method 


To speed up the discovery of assets, the device discovery method can also be used. Start 
generating the traffic required for device identity and retrieve device information. The device 
information is retrieved from the programming software for configuring and managing 
the network devices. 


Refer to the Device Discovery Documents in ICS Online help, which contain the procedure 
to generate the traffic flow from the network without any additional configuration in the 
control system. The procedure varies depending on the programming software. Pick the 
vendor software and go ahead with the device discovery. 


Once the device discovery procedure is completed, it triggers the necessary data flow 
related to device identity on the network. Qualys Network Passive Sensor sniffs and 
dissects this data to list the discovered devices in Qualys ICS. 


Viewing Vulnerabilities 


The Vulnerabilities tab gives a complete view of the vulnerability posture of the assets in 
the industrial network. 


In the upper left corner, there is a total count of vulnerability detections in the network. 


[Screenshot: Vulnerabilities tab, 676 total detections, time range All Time. Left pane 
filters: Equipment Type (Programmable L... 460, I/O Module 122, Industrial Etherne... 56, 
Communication... 34, Motion Control 2, 1 more), Severity. Table columns: QID, Title, 
Severity, Last Detected, First Detected, Asset, Rack/Slot. Rows include QIDs 590191, 590241 
and 590210 (Siemens SIMATIC families, asset 10.113.218.21) and QIDs 590509, 590484 and 
590485 (Schneider Electric Modicon, asset 10.113.218.93), each with status Active, last 
detected Apr 25, 2022 5:31 PM IST and first detected Nov 23, 2021 5:24 PM IST.] 
The vulnerabilities table contains the list of detected vulnerabilities with the following 
details: 


- QID, the unique Qualys ID assigned to the vulnerability 
- Vulnerability title 
- Severity level (1-5) determined by the security risk associated with its exploitation 
- When the vulnerability was last detected on the asset 
- When the vulnerability was first detected on the asset 
- Asset on which the vulnerability is detected 
- Rack/Slot details 


In the search bar, QQL queries can be built to narrow down the scope of the vulnerability 
search by using the supported search tokens. For more information, see Search Tokens for 
Industrial Control System in ICS Online help. Use the left pane filters to search for assets 
grouped into various categories. After clicking a category in this list, the selection gets 
translated into a QQL query in the search bar. The vulnerabilities that fit into the selected 
category are displayed in the vulnerabilities table. 


[Screenshot: Vulnerabilities tab filtered with the QQL query 
vulnerabilities.typeDetected:'Confirmed', 459 total detections (1-50 shown). Left pane 
filters: Equipment Type (Programmable L... 296, I/O Module, Industrial Etherne..., Motion 
Control, 1 more), Severity, Category (ICS 459), Type Detected. Rows include Siemens 
SIMATIC QIDs 590210, 590191 and 590241 on asset 10.113.218.21 and Schneider Electric 
Modicon QIDs 590484, 590468 and 590509 on asset 10.113.218.93 (status Active, last 
detected Apr 19, 2022 04:07 PM IST, first detected Nov 23, 2021 05:24 PM IST), plus 
Rockwell Automation QID 590238 (ControlLogix PLC Multiple Vulnerabilities, 
ICSA-13-011-03, asset 192.168.10.17, rack/slot 1/2) and QID 590334 (MicroLogix Multiple 
Vulnerabilities, ICSA-18-095-01, asset 10.113.218.32), status New, detected Dec 10, 2021 
11:08 AM IST.] 
The date and time range selector next to the search bar can be used to view 
vulnerabilities detected within a specific time period. 


[Screenshot: Vulnerabilities tab with the date and time range selector open (All Time, 
Today, Yesterday, Last 7 Days, Last 30 Days, Last Month, Specific Range, plus a calendar). 
The search bar holds the QQL query vulnerabilities.typeDetected:'Confirmed' and 
vulnerabilities.hardware.type:'I/O Module', returning 114 detections; the left pane 
filters show Equipment Type: I/O Module 114, Severity 3: 114, Category: ICS 114, Type 
Detected: Confirmed 114. Rows alternate between QID 590238 (Rockwell Automation 
ControlLogix PLC Multiple Vulnerabilities, ICSA-13-011-03) and QID 590328 (Rockwell 
Automation 1794-AENT Flex I/O Series B Multiple Vulnerabilities, ICSA-20-294-01), status 
New, detected Dec 4, 2021 12:40 AM IST, on assets such as 172.22.54.52 and 
172.22.54.147.] 


To view details of a vulnerability, click the QID. 


The detection summary and general information about the detected vulnerability are 
displayed on the Vulnerability Details page. On the Vulnerability Details page, information 
about known exploits for the vulnerability available from third-party vendors and/or 
publicly available sources, available patches to fix the vulnerability, and any published 
malware associated with the vulnerability are displayed. 


[Screenshot: Vulnerability Details page for QID 590328, Rockwell Automation 1794-AENT 
Flex I/O Series B Multiple Vulnerabilities (ICSA-20-294-01). Sections: General Information, 
Exploitability, Patches, Malware. General Information lists CVE: CVE-2020-6084 (4 more), 
Published Date: Jun 30, 2021 02:40 PM, Severity, Category: ICS, Modified Date, Discovery 
Method: REMOTE, Authentication, Access Vector: NETWORK, Supported Apps: VM, Vendor 
Reference: ICSA-20-294-01, the CVSSv2/CVSSv3 base and temporal scores, and a 
Vulnerability Analysis summary (Exploitability: 0, Patches, Malwares: 0). 
Impact: Successful exploitation of these vulnerabilities could crash the device being 
accessed, resulting in a buffer overflow condition that may allow remote code execution. 
Solution: Customers are advised to refer to the CERT MITIGATIONS section of 
ICSA-20-294-01 for affected packages and patching details. Patch: Following are links for 
downloading patches to fix the vulnerabilities: ICSA-20-294-01] 
Viewing KnowledgeBase 


We have the most up-to-date KnowledgeBase of vulnerabilities in the security industry 
and it's continuously getting updated. 


To view the KnowledgeBase tab, go to VULNERABILITIES tab and click KnowledgeBase. 


The KnowledgeBase tab contains details of vulnerabilities that can be detected in an 
industrial automation environment. You can use a variety of search filters to find 
vulnerabilities. Some of these filters include QID, vulnerability title, discovery method, 
severity level, category, patch availability, CVSS or CVSS v3 scores, published date, etc. 


Click Filters, then in the Apply Filters panel select the filters of your choice and click 
Search. 


[Screenshot: Apply Filters panel with the fields QID (590007), Vulnerability title (Siemens 
Automation License, with a Not option), Discovery Method, Authentication Type, and User 
Configuration (Disabled).] 

You get the results based on your search criteria. 


[Screenshot: KnowledgeBase tab showing 1 of 1 result. Columns: QID, Title, Severity, CVE 
ID, Vendor Reference, CVSS Base, CVSS Temporal Score, CVSS3 Base, Bugtraq ID, 
Modified/Created. Row: QID 590007, Siemens Automation License M..., category ICS, 
CVE-2016-8563 and CVE-2016-8565 (1 more), ICSA-16-287-02, 6.4, 4.7, 9.1, -, Feb 20, 
2020.] 
Viewing Network Traffic 


The Network tab gives a complete view of network traffic in the industrial network. 
Multiple Qualys Network Passive Sensors can be deployed across the network. Each 
Qualys Network Passive Sensor has access to traffic with source and destination details in 
the flows. The Network tab shows all sources and destinations for the given port and 
protocol. The network list view displays the different protocols being used in the network 
and how the assets are communicating. 


In the search bar, QQL queries can be built to narrow down the scope of the network 
traffic search by using the supported search tokens. For more information, see Search 
Tokens for Industrial Control System in ICS Online help. 


Use the left pane filters to search for the network traffic grouped into various categories. 
After clicking a category in this list, the selection gets translated into a QQL query in the 
search bar. The network traffic that fits the selected category is displayed in the network 
traffic table. 


[Screenshot: Network tab, List View, 402 total conversations, filtered to transport 
protocol tcp with the time range All Time. Left pane filters: Asset Type (Unknown 457, 
TwinCAT Endpoint), Application Protocols (ssl 127, http 24, mqtt 9, and others), Transport 
Protocols (tcp 402). Table columns: Source Asset, Source Asset Type, First Seen / Last 
Seen, Destination Asset, Destination Asset Type, Protocol, Transport Protocol, Port, Total 
Traffic, Total Ingress, Total Egress. Example row: 10.113.231.81 (Unknown) to 10.114.3.240 
(Unknown), ssl, port 443, first seen Apr 7, 2022 4:34 PM, last seen Apr 13, 2022 11:41 AM, 
total 172.23 MB, ingress 124.68 MB, egress 47.56 MB; other rows show destinations marked 
External for http on port 80 and ssl on port 443, dns on port 53, and unnamed traffic on 
port 7680 between Windows hosts.] 


The network table lists the observed network traffic with the following details: 

- Source asset 
- Source asset type 
- When the asset was first and last seen communicating on the network 
- Destination asset 
- Destination asset type 
- Protocol and transport protocol used for the communication 
- Port on which the assets are communicating 
- Total traffic volume for the conversation 
- Ingress traffic volume 
- Egress traffic volume 
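The list view collapses the individual flows a passive sensor records into one conversation row per source, destination, protocol and port, with first/last seen and summed volumes. The following Python script is an added example, not code from the Qualys ICS product or this guide: it rebuilds such rows from a handful of constructed flow records (the field names, the byte values and the "External" destination label are assumptions modelled on the screenshot), filters them the way a QQL query on transport protocol or port would, and lists which sources talk to destinations the sensor could not attribute to an inventoried asset, which is usually the first thing to review in an OT segment.

```python
"""Added example (not Qualys code): rebuild Network tab conversation rows from flows."""
from datetime import datetime

# Constructed sample flows: (timestamp, src, dst, transport, app, port, ingress, egress).
# Values are invented to resemble the screenshot; byte counts are decimal (1 MB = 10**6 B).
SAMPLE_FLOWS = [
    ("2022-04-07T16:34:00", "10.113.231.81", "10.114.3.240", "tcp", "ssl", 443, 60_000_000, 20_000_000),
    ("2022-04-10T09:00:00", "10.113.231.81", "10.114.3.240", "tcp", "ssl", 443, 64_680_000, 27_560_000),
    ("2022-04-13T11:41:00", "10.113.231.81", "10.114.3.240", "tcp", "ssl", 443, 0, 0),
    ("2022-04-08T22:13:00", "10.113.231.77", "10.114.25.21", "udp", "dns", 53, 40_480, 5_600),
    ("2022-04-05T17:36:00", "10.113.231.77", "External", "tcp", "http", 80, 180_580_000, 4_900_000),
    ("2022-04-13T10:26:00", "10.113.231.77", "External", "tcp", "http", 80, 0, 0),
]

KEY_FIELDS = ("src", "dst", "transport", "app", "port")


def build_conversations(flows):
    """Collapse flows into one row per (src, dst, transport, app, port), keeping the
    earliest/latest timestamp and summing ingress/egress, as the list view does."""
    rows = {}
    for ts, src, dst, transport, app, port, ingress, egress in flows:
        seen = datetime.fromisoformat(ts)
        key = (src, dst, transport, app, port)
        row = rows.setdefault(key, {"first_seen": seen, "last_seen": seen, "ingress": 0, "egress": 0})
        row["first_seen"] = min(row["first_seen"], seen)
        row["last_seen"] = max(row["last_seen"], seen)
        row["ingress"] += ingress
        row["egress"] += egress
    for row in rows.values():
        row["total"] = row["ingress"] + row["egress"]   # TOTAL TRAFFIC column
    return rows


def select(rows, **criteria):
    """Filter rows like a set of QQL tokens, e.g. select(rows, transport="tcp", port=443).
    Accepted keyword names are those in KEY_FIELDS."""
    index = {name: i for i, name in enumerate(KEY_FIELDS)}
    return {key: row for key, row in rows.items()
            if all(key[index[name]] == want for name, want in criteria.items())}


def external_talkers(rows):
    """Sources with at least one conversation to a destination the sensor could not
    attribute to an inventoried asset (rendered as "External" in the screenshot)."""
    return sorted({src for (src, dst, *_rest) in rows if dst == "External"})


def human(n):
    """Format a byte count the way the table does, e.g. 172240000 -> '172.24 MB'."""
    for unit, div in (("GB", 10**9), ("MB", 10**6), ("KB", 10**3)):
        if n >= div:
            return f"{n / div:.2f} {unit}"
    return f"{n} B"


if __name__ == "__main__":
    convs = build_conversations(SAMPLE_FLOWS)
    for (src, dst, transport, app, port), r in convs.items():
        print(f"{src:>15} -> {dst:<14} {transport}/{app}:{port:<5} "
              f"{r['first_seen']:%b %d %H:%M} .. {r['last_seen']:%b %d %H:%M}  "
              f"total {human(r['total'])} (in {human(r['ingress'])}, out {human(r['egress'])})")
    print("tcp conversations:", len(select(convs, transport="tcp")))
    print("sources talking to External:", external_talkers(convs))
```

The same shape of check works on exported flow data: group first, then filter, so that a single noisy host does not hide behind thousands of short flows, and always review the External set separately from the in-network traffic.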
Importing Assets


An asset inventory can also be built with the ICS out-of-band configuration assessment, by 
importing project files. Project files are collected from the vendors' programming and 
maintenance software, uploaded to the ICS application, and remain accessible from your 
account. The ICS application parses each uploaded file and creates assets from the data it 
extracts. 


The Import Assets tab provides the option to upload project files. Supported project file 
extensions include cxp, zip, xml, RSS and many more. 


You can view the procedure to generate a project file; it varies with the programming 
software you use. Supported vendors and software tools include Omron CX Programmer 
(.cxp), Rockwell RSLogix 500 (.RSS), Rockwell Studio 5000 (.L5X), Rockwell System Ferret 
(.xml), Siemens DIGSI 4 (.zip), Siemens DIGSI 5 (.zip), Siemens DIGSI 5 (.dz5) and many 
more. 


The upper left corner shows the total count of uploaded project files. In the search bar, 
you can build QQL queries with the supported search tokens to narrow the scope of the file 
search. For more information, see Search Tokens for Industrial Control System in the ICS 
online help. 


Use the left pane filters to search for files grouped into various categories. After you click 
a category in this list, the selection is translated into a QQL query in the search bar, and 
the files that fit the selected category are displayed in the table. 


Screenshot: Import Assets tab, filtered with a QQL query on file.extension (.cxp), 19 files in total. Left-pane filters: EXTENSION (cxp 19), VENDOR (Omron 19), PLANT LOCATION. Columns: FILE NAME, HASH (truncated, e.g. ed48e1c685c3fb15...), EXTENSION TYPE, STATUS, PLANT LOCATION, LAST UPDATED, VENDOR, ASSETS. Example rows: CP1H_Onboard..., .cxp, Deleted, Omron; CJ2M_Multiple_..., .cxp, Imported, Omron, 3 assets; CS1D_Devicenet, .cxp, Imported, Omron, 1 asset. 


The Import Assets table contains the following details: 

- File name 
- Hash of the file 
- Extension type 
- Status: Imported, Importing, Failed, or Deleted 
- Plant location from where the file was gathered 
- When the file was last updated 
- Vendor of the file 
- Total number of assets in the file 
To upload the file, click Upload Project Files. 


Screenshot: Import Assets tab before the upload. Left-pane filters: EXTENSION (.cxp 19, .L5X 17, .RSS, .zip, .xef 1, and more), VENDOR (Omron, Siemens 3, Schneider Automation 1, Rockwell Automation), PLANT LOCATION. Example rows: Multiple_Devices, .zip, Deleted, plant location testDIGSI5, Siemens, April 27, 2022 04:34 PM IST; rack expansionio, .xef, Imported, TestKT, Schneider Automation, April 27, 2022 03:09 PM IST; 5_IEC61850_GO..., .zip, Failed, testZIP; BAMBINO_2015..., .RSS, Imported, Test, Rockwell Automation, 5 assets, April 18, 2022 03:23 PM IST; Master_project2, .L5X, Failed, Test Master, April 6, 2022. 


Provide the Plant Location name and select the file from its saved location using browse. 
Supported project file extensions include cxp, RSS, zip, xml, d5Z, zef, xef, cfg and many 
more. 


Note: File extensions are case sensitive. Make sure the extension of the file you upload 
exactly matches a supported extension (for example, .RSS rather than .rss). 

Click Upload. 

Screenshot: Upload Project Files dialog ("Upload your project file for parsing"), with the required Plant Location field (here "Redwood", 248 characters remaining), a drag-and-drop or browse area, and the selected file SLC54.RSS. 


After the upload, the file appears in the table with the status Imported. Depending on how 
the upload went, a file can show one of these statuses: 

Importing - file is still uploading 
Imported - file was imported successfully 
Deleted - file has been deleted 
Failed - file could not be imported 
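Before uploading, it is worth checking the file locally: the extension must match the supported list exactly, including case, and the hash shown in the Import Assets table lets you confirm that the file the application parsed is the one you meant to send. The Python script below is an added example, not part of the Qualys ICS product or this guide. It assumes SHA-256 for the hash (the guide shows only a truncated hash column and does not name the algorithm), takes the extension list from this page, and infers a 255-character Plant Location limit from the "248 characters remaining" shown after typing "Redwood" in the dialog.

```python
"""Added example (not Qualys code): local pre-upload checks for an ICS project file."""
import hashlib
import os

# Extensions listed on this page, spelled exactly as the guide spells them.
# Matching is deliberately case sensitive, as the guide's note requires.
SUPPORTED_EXTENSIONS = {".cxp", ".RSS", ".L5X", ".xml", ".zip", ".d5Z", ".zef", ".xef", ".cfg"}

# Assumption: 7 characters ("Redwood") + 248 remaining = a 255-character field limit.
PLANT_LOCATION_MAX = 255


def check_extension(filename):
    """Return (ok, extension, hint).  A case-only mismatch gets a hint naming the
    accepted spelling, since that is exactly the mistake the guide warns about."""
    _, ext = os.path.splitext(filename)
    if ext in SUPPORTED_EXTENSIONS:
        return True, ext, ""
    same_ignoring_case = [e for e in SUPPORTED_EXTENSIONS if e.lower() == ext.lower()]
    if same_ignoring_case:
        return False, ext, f"rename to use {same_ignoring_case[0]} (extensions are case sensitive)"
    return False, ext, "extension not supported"


def sha256_hex(data):
    """Hex digest of the file content (SHA-256 is an assumption, see the lead-in)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream a file from disk so large project archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def matches_table_hash(full_hex, shown):
    """The table truncates the hash ('ed48e1c685c3fb15...'); compare the visible prefix only."""
    prefix = shown.strip().rstrip(".").lower()
    return bool(prefix) and full_hex.lower().startswith(prefix)


def preflight(filename, data, plant_location):
    """Collect every problem at once so the user can fix them in one pass."""
    problems = []
    if not plant_location.strip():
        problems.append("Plant Location is required")
    elif len(plant_location) > PLANT_LOCATION_MAX:
        problems.append(f"Plant Location exceeds {PLANT_LOCATION_MAX} characters")
    ok, _ext, hint = check_extension(filename)
    if not ok:
        problems.append(f"{filename}: {hint}")
    if not data:
        problems.append(f"{filename}: file is empty")
    return {"ok": not problems, "problems": problems, "sha256": sha256_hex(data)}


if __name__ == "__main__":
    # Constructed sample content; a real .RSS file would come from RSLogix 500.
    sample = b"abc"
    for name in ("SLC54.RSS", "slc54.rss", "notes.txt"):
        result = preflight(name, sample, "Redwood")
        print(name, "OK" if result["ok"] else result["problems"], result["sha256"][:16] + "...")
```

Keep the full digest from the preflight run: once the table shows the file as Imported, compare its truncated hash against that digest with matches_table_hash before trusting the assets created from it.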
For more detail on how to generate the project file from programming and maintenance 
software, refer to Generating Project File in the ICS online help. 


Screenshot: Import Assets tab after the upload. The new file (hash 761861d39b0a8ec2...) is listed with plant location Redwood. Multiple_Devices (.zip, Siemens, testDIGSI5) appears once as Importing (April 27, 2022 04:36 PM IST) and once as Deleted (04:34 PM IST); rack expansionio (.xef, Schneider Automation, TestKT) is Imported (April 27, 2022 03:09 PM IST); 5_IEC61850_GO... (.zip, testZIP) is Failed. 


Managing ICS Dashboards 


To visualize the asset and vulnerability posture, add widgets to the dashboard. The 
Dashboard tab is the home page for Industrial Control System (ICS). 

To see the ICS dashboard, select Industrial Control System from the application selector. 
By default, the dashboard has count cards such as high risk devices, newly discovered 
devices, new vulnerabilities, active vulnerabilities and so on. 

There are different widgets, such as asset distribution by risk score, asset distribution by 
protocol and asset distribution by vendor, and various vulnerability widgets such as 
vulnerabilities by type and vulnerabilities by severity. Use Add widgets to add ICS related 
widgets. 
Screenshot: ICS dashboard (Total Widgets Count: 18 / 80). Count cards: Modified Devices, Total Devices, Active Vulnerabilities, High Risk Devices, Newly Discovered Devices, Unpatched Vulnerabilities. Widgets: ASSETS DISTRIBUTION BY RISK SCORE (total 93), ASSETS DISTRIBUTION BY PROTOCOLS (total 4.54K), ASSETS DISTRIBUTION BY VENDOR (total 1.7K; Unidentified 973, Apple 99, Schneider Electric 94, Siemens 13, and others). 
The widgets are interactive; clicking a specific part of a widget redirects to the related 
tab. 


For example, in the VULNERABILITIES BY TYPE widget, clicking Confirmed takes you to the 
Vulnerabilities tab, filtered to the details of the confirmed vulnerabilities. 


Screenshot: dashboard vulnerability widgets (Total Widgets Count 18 / 80). VULNERABILITIES BY TYPE (total 667; Confirmed 453, Potential), VULNERABILITIES BY SEVERITY, VULNERABILITIES BY ASSET TYPE (Programmable Logic Controller (PLC) 457, I/O Module 122, Industrial Ethernet Switch 56, Communication Module 28, Motion Control 2, Distributed Control System (DCS) 2), VULNERABILITIES BY VENDOR (Rockwell Automation 515, ...), PASSIVE SENSORS LICENSE EXPIRY. 


All the details of the confirmed vulnerabilities are displayed. 


Screenshot: Vulnerabilities tab filtered with the QQL query vulnerabilities.typeDetected:"Confirmed" (1-33 of 33 total detections). Left-pane filters: EQUIPMENT TYPE (Programmable Logic Controller 10, Communication Module 7, I/O Module 3, Distributed Control System 2, Other 1), SEVERITY, CATEGORY (ICS 33), TYPE DETECTED (Confirmed 33), STATUS. Columns: QID, TITLE, SEVERITY, LAST DETECTED, FIRST DETECTED, ASSET, RACK/SLOT. Example rows (all Reopened, last detected Apr 12, 2022, first detected Mar 21-25, 2022): 590238 Rockwell Automation ControlLogix PLC Multiple Vulnerabilities (ICSA-13-011-03) on 10.113.218.91, rack/slot 1/2 and 1/3; 590549 and 590546 JTEKT TOYOPUC Products Denial of Service (DoS) Vulnerability (ICSA-21-103-03 and ICSA-21-245-02) on 10.113.218.75; 590210 Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update A) Multiple Vulnerabilities, 590401 Siemens Industrial Products (Update Q) DoS Vulnerability (ICSA-17-339-01), 590400 Siemens PROFINET Devices (Update I) DoS Vulnerability (ICSA-19-283-02) and 590403 Siemens PROFINET DCP (Update S) Multiple Vulnerabilities (ICSA-17-129-02) on 172.168.0.1. 


Dynamic dashboards let you customize the way you view your information. Qualys 
provides a default dashboard to get you started. 


Viewing Unified Dashboard 


Dashboards help you visualize the assets, see the threat exposure, leverage saved searches, 
and quickly prioritize the vulnerabilities to fix. 


Qualys Industrial Control System (ICS) integrates with Unified Dashboard (UD) to bring 
information from all Qualys applications into a single place for visualization. UD provides 
a dashboarding framework and platform service that the other Qualys products consume 
to enhance their existing dashboard capabilities. 
Qualys Industrial Control System (ICS) offers several dashboards out of the box. Each 
dashboard displays a short description of the information it offers. You can configure 
widgets to pull information from other modules/applications and add them to the 
dashboard, and add as many dashboards as you need to customize the view. 


See the Unified Dashboard help for more information. 